Sophos Small Business Suite is a desktop and server anti-virus solution aimed at small businesses. Sophos Small Business Suite mishandles files named after reserved MS-DOS devices, and a remote attacker can use this flaw to bypass malicious-code detection. The problem arises when the product attempts to scan files and directories named after reserved MS-DOS device names such as LPT1, COM1, AUX, CON and PRN. Malicious code embedded in a file with a reserved device name evades detection, and malicious code whose file is itself named after a reserved device name also evades Sophos's detection. Exploiting this flaw lets an attacker bring a malicious program onto a target system without being noticed.

-
Vulnerability information

Vulnerability name: Sophos Small Business Suite Reserved Device Name Handling Vulnerability

Severity: High

Vulnerability type: Design error

Published: 2004-11-03 00:00:00

Updated: 2005-10-20 00:00:00

Attack vector: Remote

Details: identical to the summary at the top of this page.

-
Vulnerability information (24623)

source: http://www.securityfocus.com/bid/11236/info
Sophos Anti-Virus is affected by a reserved MS-DOS name virus scan evasion vulnerability. This issue is due to a design error that allows certain files to avoid being scanned.
An attacker may leverage this issue to bypass the scanner protection provided by the vulnerable anti-virus scanner, giving users a false sense of security. It is reported that this issue can be leveraged to bypass both file system and email virus scanners, allowing this issue to be exploited remotely.
copy source \\.\C:\aux

-
Vulnerability information (F34463)

iDEFENSE Security Advisory 09.22.04 - Remote exploitation of a design vulnerability in version 1.00 of Sophos Plc.'s Small Business Suite allows malicious code to evade detection.

Sophos Small Business Suite Reserved Device Name Handling Vulnerability
iDEFENSE Security Advisory 09.22.04
www.idefense.com/application/poi/display?id=143&type=vulnerabilities
September 22, 2004
I. BACKGROUND
Sophos Small Business Suite includes the Sophos PureMessage Small
Business Edition, combining virus and spam protection for the email
gateway, and Sophos Anti-Virus Small Business Edition, which offers
desktop and server defense against the virus threat.
II. DESCRIPTION
Remote exploitation of a design vulnerability in version 1.00 of Sophos
Plc.'s Small Business Suite allows malicious code to evade detection.
The problem specifically exists in attempts to scan files and
directories named as reserved MS-DOS devices. These represent devices
such as the first printer port (LPT1) and the first serial communication
port (COM1). Sample reserved MS-DOS device names include AUX, CON, PRN,
COM1 and LPT1.
If malicious code embeds itself within a reserved device name, it can
avoid detection by Small Business Suite when the system is scanned.
Malicious code can also potentially use reserved device names to bypass
e-mail scanning, thereby potentially delivering hostile payloads to
users. Small Business Suite will scan the files and folders containing
the virus and fail to detect or report them. Real-time protection
against malicious code is also affected; if a malicious code is copied
from a file named using a reserved MS-DOS device name to another file
also named using a reserved MS-DOS device name, Small Business Suite
will not detect it.
It may also be possible for malicious code to execute without detection
from files named using reserved MS-DOS device names. Reserved device
names can be created with standard Windows utilities by specifying the
full Universal Naming Convention (UNC) path. The following command will
successfully copy a file to the reserved device name 'aux' on the C:\
drive:
copy source \\.\C:\aux
III. ANALYSIS
Exploitation allows remote attackers to launch malicious code that can
evade detection. Remote attackers can unpack or decode an otherwise
detected malicious payload in a stealth manner. Exploitation may allow
attackers to bypass e-mail filters, thereby increasing the propensity of
a target user executing a malicious attachment.
Files and directories using reserved MS-DOS device names can be removed
by specifying the full Universal Naming Convention (UNC) path. The
following command will successfully remove a file stored on the C:\
drive named 'aux':
del \\.\C:\aux
IV. DETECTION
Sophos Small Business Suite 1.00 is confirmed affected. Earlier versions
reportedly crash upon the parsing of files or directories employing
reserved MS-DOS device names.
V. WORKAROUND
Explicitly block file attachments that use reserved MS-DOS device names.
Ensure that no local files or directories using reserved MS-DOS device
names exist. On most modern Windows systems, reserved MS-DOS device
names should not be present. While the Windows search utility can be
used to locate offending files and directories, either a separate tool
or the specification of Universal Naming Convention (UNC) should be used
to remove them.
VI. VENDOR RESPONSE
"LPT1, LPT2, COM1 etc are reserved by the operating system for devices.
Despite this, Windows will allow these strings to be used as file names
and when such files are accessed, the operating system attempts to treat
them as devices rather than files except under the circumstances you
have outlined.
Although this vulnerability has never been exploited by a virus it could
theoretically be used to contain viral code. Sophos has improved its
code within both its on-access and on-demand scanners to deal with these
improperly named files as files and not devices.
This improvement to Sophos Anti-Virus will be included in version 3.86
(available 22/09/04)."
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0552 to this issue. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
08/06/2004 Initial vendor notification
08/06/2004 iDEFENSE clients notified
08/09/2004 Initial vendor response
09/22/2004 Coordinated public disclosure
IX. CREDIT
Kurt Seifried (kurt[at]seifried.org) is credited with this discovery.
Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp
X. LEGAL NOTICES
Copyright (c) 2004 iDEFENSE, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
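The check recommended in section V (Workaround) of the advisory above, as an added Python example that is not code from iDEFENSE, Sophos or SecurityFocus: it flags file names and attachment names that Windows would treat as reserved MS-DOS devices, so a mail gateway can reject such attachments and a file-system sweep can list offending entries for removal. The name set it uses (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9, with or without an extension, ignoring case and trailing dots or spaces) follows Windows file-naming rules and is broader than the five names the advisory lists. The names in SAMPLE_ATTACHMENTS are constructed for the example, and scan_tree is a hypothetical helper that walks a local directory.

```python
"""Detect file or attachment names that collide with reserved MS-DOS device names.

Added example for the workaround in section V of the advisory above; it is not
code from iDEFENSE or Sophos. The name set follows Windows file-naming rules,
which go beyond the five examples (AUX, CON, PRN, COM1, LPT1) the advisory lists.
"""
import os
import re
from typing import Iterable, List

# Full set of reserved device names on Windows: CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9.
RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{i}" for i in range(1, 10)]
    + [f"LPT{i}" for i in range(1, 10)]
)

# Device-namespace prefix used in the advisory's command (\\.\C:\aux); "\\?\" is
# the equivalent verbatim-path prefix. Both are stripped before inspecting the name.
_NAMESPACE_PREFIX = re.compile(r"^\\\\[.?]\\")


def is_reserved_device_name(name: str) -> bool:
    """Return True if `name` (a single path component) would be treated as a device.

    Matching is case-insensitive, ignores trailing dots and spaces (Windows strips
    them), and ignores any extension: AUX.txt and aux.tar.gz both resolve to AUX.
    """
    stem = name.rstrip(" .").split(".", 1)[0]
    return stem.upper() in RESERVED_DEVICE_NAMES


def last_component(path: str) -> str:
    """Extract the final path component, accepting Windows or POSIX separators."""
    path = _NAMESPACE_PREFIX.sub("", path)
    path = path.rstrip("\\/")
    return re.split(r"[\\/]", path)[-1]


def find_reserved_names(paths: Iterable[str]) -> List[str]:
    """Return the input paths whose final component is a reserved device name.

    Intended for attachment filenames seen at a mail gateway, or for a list of
    paths collected from a file-system walk.
    """
    return [p for p in paths if is_reserved_device_name(last_component(p))]


def scan_tree(root: str) -> List[str]:
    """Walk a directory tree and list files and directories with reserved names.

    Hypothetical helper: the advisory reports that the scanner failed to detect
    malware stored under such names, so they are flagged for manual removal via
    the device-namespace path form (del \\.\C:\aux).
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            if is_reserved_device_name(entry):
                hits.append(os.path.join(dirpath, entry))
    return hits


# Constructed sample: attachment names as they might appear in a gateway log.
SAMPLE_ATTACHMENTS = [
    "invoice.pdf",
    "aux",
    "CON.exe",
    "report_aux.doc",
    "com1.tar.gz",
    "lpt1 ",
    r"\\.\C:\aux",
    "auxiliary.zip",
    "nul.txt",
]

if __name__ == "__main__":
    for name in find_reserved_names(SAMPLE_ATTACHMENTS):
        print(f"BLOCK: {name!r} uses a reserved MS-DOS device name")
```

Run as a script it prints the six sample names that a gateway should block; names that merely contain a device name as a substring (report_aux.doc, auxiliary.zip) are correctly left alone, because only the stem before the first dot decides how Windows resolves the name. Entries found by scan_tree on a Windows host cannot be deleted by their ordinary path and need the device-namespace form the advisory shows.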

-
Unaffected program versions

-
Vulnerability discussion

Identical to the SecurityFocus text quoted under entry 24623 above.

-
Exploit

No exploit is required to leverage this issue. Reportedly it is possible to change the name of a file to an MS-DOS reserved device file name using the following command (in this example, AUX is the target device name):

copy source \\.\C:\aux

-
Solution

The vendor has reported that a new version of the affected software has been released. Please contact the vendor for information on obtaining the upgrade.